In the first settlement for HIPAA violations in 2018, Fresenius Medical Care North America (Fresenius) has agreed to pay $3.5 million to the Office for Civil Rights (OCR) to settle allegations against it relating to five data breaches that occurred over a four month period in 2012. Interestingly, the five separate breaches affected the information of 521 individuals, making some question whether the punishment fits the crime.

The data breaches occurred when two desktop computers were stolen during a break-in into one of its facilities; the theft of an unencrypted USB drive; a lost hard drive; a stolen laptop out of an employee’s car; and three desktop computers and an encrypted laptop were stolen out of another of its facilities.

According to the OCR, its investigation into the incidents established that Fresenius failed to conduct a comprehensive and accurate risk analysis to identify risks to ePHI, that it failed to implement policies and procedures regarding the receipt and removal of computer hardware and storage devices from its facilities, that it failed to implement encryption technology,  failed to properly safeguard the physical facilities which led to the theft of desktop computers, and failed to have policies and procedures to address security breaches.

In addition to paying the hefty fine, Fresenius agreed to implement a corrective action plan, including adopting policies and procedures, conduct a comprehensive risk analysis and implement a risk management plan.